Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
15-05-2024 12:45
Static task
static1
Behavioral task
behavioral1
Sample
15052024_1245_Cognex 3512C Doc.js
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
15052024_1245_Cognex 3512C Doc.js
Resource
win10v2004-20240508-en
General
-
Target
15052024_1245_Cognex 3512C Doc.js
-
Size
7KB
-
MD5
c8b4efbf7ede4e5741be5e2ae2462b3b
-
SHA1
dc077b682365eef97c0ced977916fcb117743cf6
-
SHA256
deec2bd866af640bcaecd5357f54da87dd045c8017a8f8a76ac0068ce43eebaa
-
SHA512
eb98175eb0486b17ac217e5380ec771666d176fde50a3ecf416aafb2cef7b0e91ec8386417519b51f69fa381834571fbaae1f92a9baec0dc53d80515da5446d6
-
SSDEEP
192:pRn5hokWxcYy0AkSsDX5VF30Ver0O86+ISMquF4dOryL:fnckWx2kSsDX5P3L7+ISMq24dOryL
Malware Config
Signatures
-
Detect ZGRat V1 34 IoCs
resource yara_rule behavioral2/memory/3468-22-0x000001DFFDED0000-0x000001DFFE10E000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-28-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-64-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-59-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-52-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-50-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-48-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-44-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-42-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-40-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-38-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-36-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-34-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-32-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-30-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-26-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-46-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-24-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-23-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-78-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-76-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-86-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-84-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-82-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-80-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-74-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-72-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-70-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-68-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-66-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-62-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-60-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-56-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 behavioral2/memory/3468-54-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp family_zgrat_v1 -
Blocklisted process makes network request 3 IoCs
flow pid Process 2 3812 wscript.exe 4 3812 wscript.exe 8 3812 wscript.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation explorere -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{C2C9946F-BF9A-4B6A-A474-D93A39453B33}.lnk explorere -
Executes dropped EXE 4 IoCs
pid Process 3468 windows.exe 5088 windows.exe 3812 explorere 3972 explorere -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\windows\\explorere {0E5F88F2-8842-4587-BAA0-4F799FD9DF2C}" explorere -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3468 set thread context of 5088 3468 windows.exe 84 PID 3812 set thread context of 3972 3812 explorere 86 -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3468 windows.exe Token: SeDebugPrivilege 3468 windows.exe Token: SeDebugPrivilege 3812 explorere Token: SeDebugPrivilege 3812 explorere -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 3812 wrote to memory of 3468 3812 wscript.exe 81 PID 3812 wrote to memory of 3468 3812 wscript.exe 81 PID 3468 wrote to memory of 5088 3468 windows.exe 84 PID 3468 wrote to memory of 5088 3468 windows.exe 84 PID 3468 wrote to memory of 5088 3468 windows.exe 84 PID 3468 wrote to memory of 5088 3468 windows.exe 84 PID 3468 wrote to memory of 5088 3468 windows.exe 84 PID 3468 wrote to memory of 5088 3468 windows.exe 84 PID 3468 wrote to memory of 5088 3468 windows.exe 84 PID 3468 wrote to memory of 5088 3468 windows.exe 84 PID 3468 wrote to memory of 5088 3468 windows.exe 84 PID 3468 wrote to memory of 5088 3468 windows.exe 84 PID 5088 wrote to memory of 3812 5088 windows.exe 85 PID 5088 wrote to memory of 3812 5088 windows.exe 85 PID 3812 wrote to memory of 3972 3812 explorere 86 PID 3812 wrote to memory of 3972 3812 explorere 86 PID 3812 wrote to memory of 3972 3812 explorere 86 PID 3812 wrote to memory of 3972 3812 explorere 86 PID 3812 wrote to memory of 3972 3812 explorere 86 PID 3812 wrote to memory of 3972 3812 explorere 86 PID 3812 wrote to memory of 3972 3812 explorere 86 PID 3812 wrote to memory of 3972 3812 explorere 86 PID 3812 wrote to memory of 3972 3812 explorere 86 PID 3812 wrote to memory of 3972 3812 explorere 86
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\15052024_1245_Cognex 3512C Doc.js"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Users\Admin\AppData\Roaming\windows.exe"C:\Users\Admin\AppData\Roaming\windows.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Users\Admin\AppData\Roaming\windows.exe"C:\Users\Admin\AppData\Roaming\windows.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\ProgramData\windows\explorere"C:\ProgramData\windows\explorere" {4B08985C-0E0F-4678-84A8-2A0974B289FF}4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\ProgramData\windows\explorere"C:\ProgramData\windows\explorere"5⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:3972
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.5MB
MD5ef0124f238734460752a0de9e85501bc
SHA18dcbd7b8c753329ffc4a68a4bac8c3ab5ba62dfb
SHA2564a299f5b0de81d51e75d45e9b49e830e4230346329d9ed15197ddf1ac2853644
SHA5126aa0476b378bf34eb274ef2b62d8cb12f2c5014cae0e02a6ffea55e4c0fd009e07f8816b23bb6ad2ed57a0a8173668ae3c24f94bcecd131348c5347510fcac3c